Today, I discovered that one of my machines running exim4 wasn't doing sender verification as I thought it should be. (This is where the server checks to see if the sender is OK, by checking to see if a mailserver for that sender's domain would accept a bounce for them)

By reading the manual, I was able to find that running "exim4 -bhc some.external.ip", or even "exim4 -d -bhc some.external.ip", I could find out what rules and checks were being applied, and why.

After a bit of prodding, this turned out to be because I had the line require verify = senderinstead of require verify = sender/calloutwhich is what I really needed.

Then, I hit a snag. My machine was trying to use my smarthost to verify the sender of an inbound message, and that wasn't working. The solution was to add "verify_sender = false" to the smarthost router definition, to stop it being used to check sender addresses. This also means there's no router available to do the checks....

So, I then added a new dnslookup router, with the option "verify_only", which means it only gets used for verification, never delivery. The routers I have then look like:

Bingo, I then had my sender verification working. True, most people who are doing sender verification will be using dnslookup and not a smarthost, but I'm sure I can't be the only one!

Update: You might find that the default timeout on the sender verify callout is too short, and you'll end up rejecting mail from people with overloaded mail servers. Changing sender/callout to sender/callout=45s will cause the check to wait for up to 45 seconds before timing out. I've found that this doesn't impose too much of an extra load on my servers, but does stop legitimate mail being rejected.